While pulling together a video describing how to use BitLocker to encrypt a hard drive, I ran into a problem.
More specifically, the machine I was using didn’t have a required hardware component used by BitLocker: the TPM, or Trusted Platform Module.
Fortunately, there’s a workaround.
The Trusted Platform Module
The TPM is, essentially, a hardware encryption component.
It’s fairly complex, but for our purposes, think of it as a tool to generate and store encryption keys used for things like BitLocker’s whole-drive encryption.
Generating the key is important, because the hardware implementation allows somewhat more secure1 keys to be generated more quickly. Storage matters because it prevents a drive encrypted on one machine to be physically moved to another and decrypted there.
By default, BitLocker requires TPM. If you attempt to enable whole-drive encryption without it, you’ll get an error message.
The good news is, most newer, modern machines include a TPM, and have for several years. The bad news is, older machines do not. In my case, the virtual machine software I use apparently doesn’t support exposing the TPM to my Windows 10 virtual machine.
The workaround is a setting in the Group Policy Editor.
Group Policy Editor
In the left-hand navigation bar, expand (by clicking on the arrow to each item’s left, if necessary), in turn:
- Computer Configuration
- Administrative Templates
- Windows Components
- BitLocker Drive Encryption
- Operating System Drives
and in the right-hand pane, locate the setting “Require additional authentication at startup”.
Double-click on that setting to open a dialog in which to edit it.
It will likely default to “Not configured”. Click on Enabled, and then OK to exit and save the setting. You can now close the Group Policy Editor as well.
That’s all there is to it. You can now enable BitLocker, even without a TPM.